
Re: Using AD authentication with an external LDAP for authorization



On Mon, Dec 08, 2008 at 11:31:21AM +0000, Stefan Stefansson wrote:

> 1) user
> credentials are replicated over to the LDAP server from AD which means
> that LDAP would handle all authentication or

You will never get the existing passwords out of AD because they
are not there.

If the people running the AD domain are prepared to co-operate
you may be able to load a 'password checker module' into the AD
domain controllers. This could tell you whenever a new password is
set (and pass over the cleartext password). This allows you to
keep up to date with new accounts and password changes.

> 2) LDAP server would
> delegate authentication for users it cannot authenticate to the AD
> server but otherwise it would handle the users it knows.

That may be easier - for one thing you do not need to do anything
scary to the central AD servers. See 'Pass-Through Authentication'
in the Admin Guide:

	http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

In principle you could use either LDAP or Kerberos access to the
AD domain to implement this, though I think LDAP would be easier.

It is also worth looking at the contributed slapd modules, as I think
there is one that delegates authentication to a remote AD and then
builds a local entry if the password is OK. smbk5pwd perhaps?

Whichever way you go, you will need some regular process to deal
with account updates and deletions.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
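Added example, not part of Andrew's mail or the OpenLDAP project: the three configuration pieces that option 2 (pass-through authentication to AD, as described in the Admin Guide section linked above) needs, generated by a small POSIX shell script. The user entry keeps a `userPassword` of the form `{SASL}user@realm` instead of a hash; slapd (which must be built with Cyrus SASL support) hands the bind password to saslauthd through its SASL client config, and saslauthd, running with the `ldap` mechanism, binds to AD as that user so the domain controller does the actual verification. Hostnames, realm, base DN, the lookup account and file paths are assumptions for illustration, and `saslauthd_conf_protects_password` is a hypothetical helper, not a saslauthd feature: because every user's cleartext password travels from saslauthd to the DC, it refuses a `saslauthd.conf` that speaks plain `ldap://` without `ldap_start_tls`.

```shell
#!/bin/sh
# Added example, not from the original mail: the three pieces of OpenLDAP
# pass-through authentication to an AD domain (option 2 above).  Hostnames,
# realm, base DN, lookup account and file paths are assumptions.

AD_URL="ldaps://dc1.ad.example.com"      # assumed AD domain controller
AD_REALM="AD.EXAMPLE.COM"                # assumed AD realm / UPN suffix
AD_BASE="dc=ad,dc=example,dc=com"        # assumed AD search base
SASLAUTHD_MUX="/var/run/saslauthd/mux"   # common default socket path

# 1. The userPassword value that tells slapd to hand the bind to SASL:
#    {SASL}<user>@<realm>.  No hash is stored locally; slapd passes the
#    cleartext bind password to saslauthd for checking.
sasl_userpassword() {
    printf '{SASL}%s@%s' "$1" "$2"
}

# LDIF that switches one existing local entry from a stored hash to
# pass-through (feed it to ldapmodify as a directory administrator).
passthrough_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$1" "$(sasl_userpassword "$2" "$AD_REALM")"
}

# 2. libsasl2 client config read by slapd (commonly /usr/lib/sasl2/slapd.conf
#    or /etc/sasl2/slapd.conf).  pwcheck_method saslauthd is what routes
#    {SASL} passwords out of slapd to the saslauthd socket.
slapd_sasl_conf() {
    printf 'pwcheck_method: saslauthd\nsaslauthd_path: %s\n' "$SASLAUTHD_MUX"
}

# 3. /etc/saslauthd.conf for "saslauthd -a ldap".  With ldap_auth_method bind,
#    saslauthd first finds the AD account using the lookup account, then binds
#    as that account with the user's password, so AD does the verification.
#    %u and %r are the user and realm taken from the {SASL}user@realm value.
saslauthd_conf() {
    cat <<EOF
ldap_servers: $AD_URL
ldap_search_base: $AD_BASE
ldap_filter: (userPrincipalName=%u@%r)
ldap_bind_dn: cn=ldap-lookup,ou=Service Accounts,$AD_BASE
ldap_password: REPLACE-WITH-LOOKUP-ACCOUNT-PASSWORD
ldap_auth_method: bind
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ad-root-ca.pem
EOF
}

# Hypothetical sanity check (not a saslauthd feature): every user's password
# crosses the network from saslauthd to the DC, so refuse a config whose first
# server URL is plain ldap:// unless ldap_start_tls is enabled.
# Returns 0 when the link is protected, 1 otherwise.
saslauthd_conf_protects_password() {
    if printf '%s\n' "$1" | grep -Eq '^ldap_servers:[[:space:]]*ldaps://'; then
        return 0
    fi
    if printf '%s\n' "$1" | grep -Eq '^ldap_start_tls:[[:space:]]*(yes|1|true)'; then
        return 0
    fi
    return 1
}

main() {
    echo "## LDIF for one account"
    passthrough_ldif "uid=sstefansson,ou=People,dc=example,dc=com" sstefansson
    echo; echo "## slapd SASL client config"
    slapd_sasl_conf
    echo; echo "## saslauthd.conf"
    saslauthd_conf
    echo
    if saslauthd_conf_protects_password "$(saslauthd_conf)"; then
        echo "OK: saslauthd-to-AD link uses TLS"
    else
        echo "WARNING: passwords would reach the DC in the clear"
    fi
}

main "$@"
```

Two caveats follow from the design. The local entry still has to exist for the bind to be attempted at all, which is why the account add/delete process Andrew mentions is unavoidable even with pass-through. And `testsaslauthd -u user -r AD.EXAMPLE.COM -p 'password'` against the running saslauthd is the quickest way to confirm the AD leg works before touching any `userPassword` values.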